
Commit fc0c615

authored
Update aws-credentials.py
Refined AWS credentials detection: updated both Bash and PowerShell scripts to search only for files named 'credentials' that contain the keyword 'aws', which is consistently present in relevant AWS configuration files. Removed 'config' from the scope after confirming it contains no useful information. Also suppressed 'permission denied' errors in the Bash script for cleaner output during scans. Signed-off-by: Braiant Giraldo <33358096+dev-fortress@users.noreply.github.com>
1 parent ef7e974 commit fc0c615

1 file changed

Lines changed: 14 additions & 17 deletions


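--- a/nxc/modules/aws-credentials.py
+++ b/nxc/modules/aws-credentials.py
@@ -14,35 +14,32 @@ class NXCModule:
 def __init__(self):
 self.search_path_linux = "'/home/' '/tmp/'"
 self.search_path_win = "'C:\\Users\\', 'C:\\ProgramData\\AWSCLI\\', 'C:\\Temp\\'"
+
 
 def options(self, context, module_options):
 r"""
 SEARCH_PATH_LINUX Linux location where to search for aws credentials related files
-Default: "'/home/' '/tmp/'"
-
+Default: '/home/ - /tmp/'
+
 SEARCH_PATH_WIN Windows locations where to search for aws credentials related files
-Default: "'C:\\Users\\', 'C:\\ProgramData\\AWSCLI\\', 'C:\\Temp\\'"
+Default: 'C:\\Users\\ - C:\\ProgramData\\AWSCLI\\ - C:\\Temp\\
 """
 if "SEARCH_PATH_LINUX" in module_options:
 self.search_path_linux = module_options["SEARCH_PATH_LINUX"]
 
 if "SEARCH_PATH_WIN" in module_options:
 self.search_path_win = module_options["SEARCH_PATH_WIN"]
 
-def on_login(self, context, connection):
-# search for aws_credentials-related files on linux systems
+def on_login(self, context, connection):
+# search for aws_credentials-related files on linux systems
 if "ssh" in context.protocol:
-search_aws_creds_files_payload = f"find {self.search_path_linux} -type f -name credentials -o -name credentials.bk -o -name config.bk -o -name config"
+search_aws_creds_files_payload = "find %s -type f -name credentials -exec grep -l 'aws_' {} \\; 2>&1 | grep -v 'Permission denied$'" % (self.search_path_linux)
 search_aws_creds_files_cmd = f'/bin/bash -c "{search_aws_creds_files_payload}"'
-output = connection.execute(search_aws_creds_files_cmd)
+search_aws_creds_files_output = connection.execute(search_aws_creds_files_cmd, False)
+context.log.highlight(f"The following files were found: {search_aws_creds_files_output}")
 else:
-# search for aws_credentials-related files on windows systems
-# we have to exclude "Application Data" as this creates an infinite recursion, see: https://www.reddit.com/r/PowerShell/comments/17pctnv/symbolic_link_application_data_in_appdatalocal/
-search_aws_creds_files_payload_win = f"Get-ChildItem -Path {self.search_path_win} -Recurse -Include ('credentials','credentials.bk','config','config.bk') -Force -ErrorAction SilentlyContinue | ? {{ $_.FullName -inotmatch 'Application Data' }} | Select FullName -ExpandProperty FullName"
-search_aws_creds_files_cmd_win = f'powershell.exe "{search_aws_creds_files_payload_win}"'
-output = connection.execute(search_aws_creds_files_cmd_win, True)
-
-if output:
-context.log.success("The following files were found:")
-for line in output.splitlines():
-context.log.highlight(line.rstrip())
+# search for aws_credentials-related files on windows systems
+search_aws_creds_files_payload_win = "Get-ChildItem -Path %s -Recurse -Force -Include 'credentials' -File -ErrorAction SilentlyContinue | Where-Object { Select-String -Path $_.FullName -Pattern 'aws' -Quiet } | Select-Object -ExpandProperty FullName" % (self.search_path_win)
+search_aws_creds_files_cmd_win = f'powershell.exe "{search_aws_creds_files_payload_win}"'
+search_aws_creds_files_output_win = connection.execute(search_aws_creds_files_cmd_win, False)
+context.log.highlight(f"The following files were found: {search_aws_creds_files_output_win}")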
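Review bot: The two new `context.log.highlight(...)` calls in `on_login` run unconditionally, so a host with no matching file still logs "The following files were found:" followed by an empty or `None` value; the removed `if output:` guard and per-line loop prevented that, and I would restore them, e.g. `if search_aws_creds_files_output:` before the Linux highlight and the same for `search_aws_creds_files_output_win`. On the Linux branch `2>&1` merges stderr into the captured text and only lines ending in `Permission denied` are filtered out, so any other `find` or `grep` error text would be reported as a found file; `2>/dev/null` keeps the result list clean. The docstring defaults (`'/home/ - /tmp/'`, and the Windows one, which is missing its closing quote) no longer match the values set in `__init__`, and the ` - ` separator is not a form either command accepts, so a user copying the documented value would get a broken search path. The second argument to `connection.execute` is now `False` on both branches where the Windows call previously passed `True`; its meaning is not visible on this page, so confirm that output is still returned on that protocol. The commit also drops the `'Application Data'` exclusion that the removed comment said was needed to avoid infinite recursion, without saying why it is safe to do so.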
